Prometheus Blogs

FISMA In A Sesame Seed

01/27/2016

FISMA is a law (The Federal Information Security Management Act of 2002) which requires the protection of federal information resources. FISMA is a part (Title III) of the E-Government Act of 2002. FISMA was later updated by The Federal Information Security Modernization Act of 2014 (also called FISMA).

FISMA requires[1] compliance with NIST Federal Information Processing Standards (FIPS). FISMA also requires annual review of federal information security, with the results reported to the Office of Management and Budget (OMB), which in turn reports to Congress. OMB Circular A-130 provides policy on how to implement FISMA.

Federal Acquisition Regulation (FAR) sections 7.103 (v) and (w) require agencies to pass NIST compliance down to vendors. The push-down requirement can manifest itself (for example) in the form of contractual clauses that contain content specified by the Code of Federal Regulations (CFR) clause 52.239-72.

In addition to FIPS, NIST publishes many security documents in the Special Publication (SP) 800 series. Most of these are non-compulsory guidance, as far as FISMA is concerned. SP 800-53, “Security and Privacy Controls for Federal Information Systems and Organizations”, is explicitly required by FISMA, through FIPS 200. Other NIST special publications may also be required. For example, the above-mentioned CFR clause additionally requires (among other things): SP 800-18 “Guide for Developing Security Plans for Federal Information Systems”, SP 800-26 “Security Self Assessment Guide for Information Technology Systems” (which is obsolete, superseded by SP 800-53), SP 800-30 “Guide for Conducting Risk Assessments”, and SP 800-37 “Guide for Applying the Risk Management Framework to Federal Information Systems”.

The main NIST security methodological guidance is the Risk Management Framework (RMF), described in NIST Special Publication 800-37. SP 800-37 in turn references many other documents, on the development of security plans, risk assessments, security control selection, and security control evaluation.

Intelligence and military agencies use ICD 503, or the DoD RMF[2,3], instead of the NIST RMF. Cloud applications use FedRAMP.


  1. The FIPS compliance requirement is specified in a roundabout way: NIST is directed to make standards and guidelines, and the Secretary of Commerce is required to prescribe compulsory standards. The FIPS standards are designated as compulsory. NIST also has many Special Publications in the SP 800 series, which are mostly guidelines rather than requirements.

  2. http://www.dtic.mil/whs/directives/corres/pdf/850001_2014.pdf

  3. http://www.dtic.mil/whs/directives/corres/pdf/851001_2014.pdf
